Re: Third Party Authentication

From: Vin McLellan <vin_at_shore.net>
Date: 1995/04/22
Message-ID: <vin-2204952222550001_at_slip-0-28.shore.net>

In article <3n7dhc$t6v_at_westie.mid.net>, RAHolmes_at_ace.mid.net wrote:

> I am looking for third party authentication products that can be used
>
> in our mixed environment.

RAH: Attached is the appendix on vendors that was published with the Internet CERT (Computer Emergency Response Team) Report on Network Monitoring Attacks in February, 1994. This might be useful to you (and others, so I publicly post it every tenth time I mail it off to someone;-) The mixed environment makes it interesting, but the bigger companies below ought to be able to help you (or will be able to within months.)

I've also added a few companies that CERT didn't list...

Suerte,

_Vin McLellan
The Privacy Guild

/////////////////CERT Text Follows ////////////

ONE-TIME PASSWORDS Given today's networked environments, CERT recommends that sites concerned about the security and integrity of their systems and networks consider moving away from standard, reusable passwords. CERT has seen many incidents involving Trojan network programs (e.g., telnet and rlogin) and network packet sniffing programs. These programs capture clear-text hostname, account name, password triplets. Intruders can use the captured information for subsequent access to those hosts and accounts. This is possible because 1) the password is used over and over (hence the term "reusable"), and 2) the password passes across the network in clear text.

Several authentication techniques have been developed that address this problem. Among these techniques are challenge-response technologies that provide passwords that are only used once (commonly called one-time passwords). This document provides a list of sources for products that provide this capability. The decision to use a product is the responsibility of each organization, and each organization should perform its own evaluation and selection.

I. Public Domain packages

S/KEY(TM) The S/KEY package is publicly available (no fee) via anonymous FTP from:

thumper.bellcore.com /pub/nmh directory

There are three subdirectories:

skey UNIX code and documents on S/KEY. Includes the change needed to login, and stand-alone commands (such as "key"), that computes the one-time password for the user, given the secret password and the S/KEY command.

dos DOS or DOS/WINDOWS S/KEY programs. Includes DOS version of "key" and "termkey" which is a TSR program.

mac One-time password calculation utility for the Mac.

II. Commercial Products

Secure Net Key (SNK) (Do-it-yourselfproject) Digital Pathways, Inc., 201 Ravendale Dr. Mountainview, Ca. 94043-5216 USA Phone: 415-964-0707 Fax: (415) 961-7487

Products: handheld authentication calculators (SNK004) serial line auth interruptors (guardian)

Note: Secure Net Key (SNK) is des-based, and therefore restricted from US export.

SecurID (complete turnkey systems) Security Dynamics, One Alewife Center, Cambridge, MA 02140-2312 USA Phone: 617-547-7820 Fax: (617) 354-8836

Products: SecurID changing number authentication card ACE server software

SecurID is time-synchronized using a 'proprietary' number generation algorithm

WatchWord and WatchWord II Racal-Guardata, 480 Spring Park Place, Herndon, VA 22070 703-471-0892 1-800-521-6261 ext 217

Products: Watchword authentication calculator Encrypting modems

Alpha-numeric keypad, digital signature capability

SafeWord Enigma Logic, Inc. 2151 Salvio #301 Concord, CA 94520 510-827-5707 Fax: (510)827-2593

Products: DES Silver card authentication calculator SafeWord Multisync card authentication calculator

Available for UNIX, VMS, MVS, MS-DOS, Tandum, Stratus, as well as other OS versions. Supports one-time passwords and super smartcards from several vendors.

                      
                Products: 
                        software chall/response authentication: LOCKout DES
                        PCMCIA authentication/encryption: LOCKout Tessera
                        
 (End CERT TEXT>>>>>>>>>>>>>>>>>>>

You might also want to contact:

Secure Computing Corporation: 2675 Long Lake Road Roseville, MN 55113 Tel: (612) 628-2700 Fax: (612) 628-2701 debernar_at_sctc.com
Arnold Consulting, Inc. 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A. Phone : 608-278-7700 Fax: 608-278-7701 Email: Stephen.L.Arnold_at_Arnold.Com Product: CRYPTOCard.
Management Analytics PO Box 1480 Hudson, OH 44236 Email: fc_at_all.net Tel:US+216-686-0090 Fax: US+216-686-0092 Products: ArKey and OneTime Pass (OTP)
Adventure Group 145, Rue JJ Rousseau 92138 ISSY-LES-MOLINEAUX CEDEX, France Tel: (33.1) 41.08.33.33 Product: ActivCard

Surete,

_Vin

-- 
Vin McLellan +The Privacy Guild+ <vin_at_shore.net> USA
Tel. (617) 884-5546 Mail: 53 Nichols St., Chelsea, Ma. O2150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

-- 
Vin McLellan +The Privacy Guild+ <vin_at_shore.net> USA
Tel. (617) 884-5546 Mail: 53 Nichols St., Chelsea, Ma. O2150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Received on Sat Apr 22 1995 - 00:00:00 CEST

This message: [ Message body ]
Next message: Bethan Roberts: "Reverse Engineering"
Previous message: Jonathan Lewis: "Running totals in SQL*Plus: a 7.1 solution"
In reply to: RAHolmes_at_ace.mid.net: "Third Party Authentication"
In reply to RAHolmes_at_ace.mid.net: "Third Party Authentication"
Next in thread: George Dau: "Re: FAQ"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message